NGCC Blog

The Cyber Kill Chain Explained: Following APT29 From Start to Finish


I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure grammar is accurate.


If you work in IT for a small Iowa school, local government, or business, you’ve probably heard the term “Cyber Kill Chain.” It sounds technical, but it’s actually a simple framework that shows how attackers move through a network, and where you can stop them.

The best way to understand it is to watch a real attack unfold, stage by stage. Let’s use APT29 as our example. APT29 (also called Cozy Bear) is a threat actor believed to be backed by Russian intelligence. They’ve targeted U.S. government agencies, think tanks, and organizations across multiple sectors. By following their actual playbook through each stage, you’ll see exactly where defenses matter most.

Stage 1: Reconnaissance

APT29 doesn’t just pick a target and attack. They research. They might scan public websites for employee information, check LinkedIn profiles, review DNS records, or look for any detail that gives them an opening.

In a real campaign, they looked for email addresses, organization structures, and software systems used by their target. For a small organization, this might mean an attacker Googling your school’s staff directory or checking your city’s public websites for names of IT staff.

What you can do: Keep public-facing information minimal. Review what’s on your website. Do you really need to list everyone’s full name and email? Probably not.

Stage 2: Weaponization

Once APT29 knows enough about their target, they build a tool or prepare a malicious file. This isn’t always complicated — it might be a Word document rigged with malicious code, a fake login page, or a specially crafted email attachment.

For a spear-phishing campaign, they’d take the information from stage 1 and craft a message designed to trick a specific person into opening that weapon.

What you can do: Train staff to recognize phishing. Real phishing emails often have slight grammatical errors, odd sender addresses, or urgent-sounding requests. Teach people to pause before clicking. This is becoming increasingly difficult as the AI revolution gains prominence.

Stage 3: Delivery

APT29 sends the weapon to the target. Usually, it arrives via email — a phishing email that looks legitimate because the attacker did their homework in stage 1.

The email might say something like “Review attached document” or “Update your password here,” and appear to come from someone inside the organization. For a school, it might impersonate the lone IT staff member or the person who manages your passwords.

What you can do: Use email filtering. Many free, low-cost, or built-in tools (often ones you already have but haven’t configured) can catch suspicious emails before they reach inboxes. Also, enable multi-factor authentication (MFA) — it stops attackers even if they trick someone into sharing a password.

Stage 4: Exploitation

The target opens the malicious file or clicks a link, and the weapon activates. APT29 has historically used zero-day vulnerabilities (flaws nobody knew about yet) and has also exploited outdated software that people haven’t patched.

Once they’re in, they have a foothold on the network. At this point, the attacker might have just one compromised computer, but they’re inside.

What you can do: Keep software updated. Patch operating systems, browsers, and applications regularly. I know this is a pain, but it blocks most attacks. Also, use endpoint protection (antivirus/anti-malware tools).

Stage 5: Installation

APT29 doesn’t want to rely on one phishing email. They want to stay inside, even if the initial weapon is discovered. So they install a backdoor — a permanent way back in.

This might be a hidden file, a scheduled task that runs in the background, or a user account nobody knows about. The goal is persistence. Even if the original phishing email is deleted, the attacker can come back at any time.

What you can do: Monitor what’s being installed on your systems. If you have a small IT team, this is hard, but many security tools can flag unusual software. Also, regularly check who has user accounts and admin access (not everyone needs admin access).

Stage 6: Command and Control

Now the attacker needs to communicate with the backdoor they installed. APT29 uses a “command and control” server, essentially a computer they control that sends instructions to the compromised machine.

The backdoor “phones home” regularly to check for commands. The attacker might command it to steal files, move laterally to other computers, or turn off security tools.

What you can do: Monitor network traffic for unusual activity. Is a computer reaching out to unknown servers outside your organization, or is a user account doing things at times when it shouldn’t? That’s a red flag. Many organizations use tools like Splunk or even basic network monitoring to catch this.
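As an added example (not code from the original post), here is a small Python script that applies that check to constructed firewall-style log lines: it flags a workstation that contacts an unknown external server on a near-fixed timer, entirely outside working hours, while leaving normal daytime traffic to a known vendor alone. The log format, the internal address ranges, the allow-list and the working hours are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
# Constructed sample log (assumed format "<ISO time> src=<host> dst=<ip> bytes=<n>").
SAMPLE_LOG = """\
2024-03-04T02:00:05 src=LAB-PC07 dst=203.0.113.45 bytes=412
2024-03-04T02:05:07 src=LAB-PC07 dst=203.0.113.45 bytes=418
2024-03-04T02:10:04 src=LAB-PC07 dst=203.0.113.45 bytes=410
2024-03-04T02:15:06 src=LAB-PC07 dst=203.0.113.45 bytes=415
2024-03-04T08:12:33 src=FIN-PC02 dst=10.0.5.20 bytes=90210
2024-03-04T08:15:01 src=FIN-PC02 dst=198.51.100.8 bytes=20455
2024-03-04T09:41:17 src=FIN-PC02 dst=198.51.100.8 bytes=7731
2024-03-04T10:30:52 src=FIN-PC02 dst=203.0.113.9 bytes=3120
2024-03-04T13:02:48 src=FIN-PC02 dst=198.51.100.8 bytes=50012
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EXTERNAL = {"198.51.100.8"}  # assumed allow-list: vendor/cloud IPs you expect to see
WORK_HOURS = range(7, 19)          # assumed 07:00-18:59 local working hours

def parse_log(text):
    events = []  # (timestamp, source host, destination ip, bytes)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])))
    return events

def find_suspicious_pairs(events, min_hits=4, max_jitter=0.2):
    by_pair = defaultdict(list)  # only outbound traffic to addresses outside the org
    for ts, src, dst, _ in events:
        if not any(ip_address(dst) in net for net in INTERNAL_NETS):
            by_pair[(src, dst)].append(ts)
    findings = {}  # {(src, dst): [reasons]} for pairs that deserve a closer look
    for pair, times in by_pair.items():
        reasons = []
        if pair[1] not in KNOWN_EXTERNAL:
            reasons.append("unknown external server")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A backdoor checking in on a timer produces near-identical gaps; people do not.
        if len(gaps) >= min_hits - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            reasons.append(f"beacon-like: every ~{mean(gaps):.0f}s, {len(times)} times")
        if all(t.hour not in WORK_HOURS for t in times):
            reasons.append("all activity outside working hours")
        if len(reasons) >= 2:  # one oddity is usually noise; two together are a red flag
            findings[pair] = reasons
    return findings
```

Run `find_suspicious_pairs(parse_log(SAMPLE_LOG))` against your own exported firewall or proxy logs after adapting the regex; the single daytime contact with an unknown address is deliberately not flagged on its own.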

Stage 7: Actions on Objectives

Finally, APT29 does what they came to do. For a government-targeting campaign, this might involve stealing documents. In a ransomware operation, it encrypts files and demands payment. For reconnaissance, it’s gathering information about the network.

In one known case, APT29 accessed Treasury Department systems and extracted files. In another, they moved laterally from one compromised machine to dozens of others before deploying backup access points.

What you can do: Limit what any one person can access. If the finance director’s email is compromised, they shouldn’t automatically have access to student records or personnel files. Use role-based access control. Also, back up your critical data off-site so you can recover even if files are encrypted.

The Bigger Picture

The Cyber Kill Chain isn’t about preventing attackers — it’s about breaking the chain. If you stop them at reconnaissance, you win. If you catch them at delivery, you win. If you detect them at command and control, you win.

Sophisticated attackers like APT29 will eventually move to the next stage, so defense has to happen at every level (we call this defense in depth). Your job isn’t to be perfect. It’s to make the attack expensive, slow, and detectable.

For small organizations with limited budgets, the priorities are clear: patch your systems, train your people, use email filtering and MFA, and monitor what’s happening on your network. That’s not everything, but it’s the part that matters most.


Written by Jose Francisco Caro

Jose Francisco Caro is a cybersecurity professional, currently serving in the Iowa Army National Guard, and the founder of Nueva Guardia Cyber Consulting. Building NGCC to open doors for the next generation of professionals who need someone to point the way — and to bring security to the small businesses, schools, and local governments that are the backbone of our communities.
